Abstract

In [17,19] Peter Hancock and Anton Setzer introduced rules to extend Martin-Löf's
type theory in order to represent interactive programming. The rules essentially
reflect the existence of weakly final coalgebras for a general form of polynomial
functor. The standard rules of dependent type theory allow the definition of
inductive types, which correspond to initial algebras. Coalgebraic types are not
represented in a direct way. In this article we show the existence of final
coalgebras in intensional type theory for this kind of functor, where we require
uniqueness of identity proofs (UIP) for the set of states S and the set of commands
C which determine the functor. We obtain the result by identifying programs which
have essentially the same behaviour, i.e. are bisimilar. This proves the rules of
Setzer and Hancock admissible in ordinary type theory, if we replace definitional
equality by bisimulation. All proofs are verified in the theorem prover Agda [6,36],
which is based on intensional Martin-Löf type theory.
1 Introduction



Martin-Löf type theory [28,34] is a very carefully developed framework for
constructive mathematics. It is well suited as a theory for program construction,
since it is possible to express both specifications and programs within the same
formalism. Types in Martin-Löf type theory can be seen as program specifications
via the propositions-as-types interpretation. Inhabitants of these types are
programs which fulfil the required specification. Running such a program means
evaluating an expression. One of the design features of the framework is that the
evaluation of a well-typed program always terminates. Further, there is no
interaction with the environment. In order to introduce interaction into type
theory and to allow the non-termination of programs, Hancock and Setzer [17,19]
introduced the notions of (state dependent) interfaces and interactive programs.
Their approach results in an extension of type theory by rules expressing the
existence of weakly final coalgebras for the functors determined by interfaces.
These coalgebraic rules give a convenient way to reason about interactive programs.
However, coalgebraic types are not represented directly in standard type theory.
In fact they are classical examples of impredicative conceptions, whereas
Martin-Löf type theory is a strictly predicative theory. Predicative type theories
play a particular role in giving foundational interpretations of programming
languages. They have multiple mathematical models, notably set theoretic, PER and
denotational models, that provide precise definitions of programming language
features, due to their explicit inductive construction.

On the other hand one has to be careful when adding rules to type theory. That
this may have disastrous consequences can be seen e.g. in Martin-Löf's Mathematics
of Infinity [29], where it is shown that type theory becomes inconsistent when the
formal laws for the fixed point operator are adjoined to it. However, in this work
we show that it is possible to reason about interactive programs in standard
predicative type theory as long as we replace the definitional equality in the
rules of [17,19] by bisimulation. This is done by constructing final coalgebras for
the functors mentioned above. The basic idea for this construction is essentially
the same as for the model construction in Michelbrink/Setzer [33]. However, the
proof that there is a final coalgebra for this kind of functor is surprisingly
hard. This is due to the fact that we work in intensional type theory, where we
have to deal with the problem that types depending on propositionally equal
elements may not be equal. However, unlike the extensional version, intensional
type theory has a number of desirable features we do not want to miss: all
well-typed expressions normalise, and well-typedness, type-hood, type-checking as
well as definitional equality are decidable.

The theory of types developed by Per Martin-Löf "is intended to be a full scale
system for formalizing intuitionistic mathematics" [30]. As a foundational theory
it is thought to be open-ended, in the sense that we might extend it by rules for
new types provided the informal semantic principles of the theory are respected.
In this article we work with an extension of Martin-Löf type theory that
accommodates inductive-recursive definitions. A first example of simultaneous
induction-recursion is Martin-Löf's definition of the first universe à la Tarski
[28]. The general schema for this kind of definition is introduced and
investigated by Peter Dybjer [9].

The paper is organised as follows. In section 2 we restate the original definition
of interfaces and programs, try to explain the concept of intensional identity,
the meaning it has for constructive reasoning, and describe the difficulties which
arise using this concept. We discuss families and predicates and how they are
related, and give a new modified definition of interfaces. In section 3 we
introduce our category and in the following section 4 the endofunctor Prog on
this category, for which we are going to show that there is a final coalgebra in
the category. In section 5 we define a coalgebra for this functor, which consists
of a family of sets CT, equivalence relations on these sets and a morphism
elim : CT -> Prog CT. In section 6 we introduce the unique morphism. However, to
prove that the function defined indeed belongs to the category and that it is the
unique morphism making the coalgebra square commute we have to do some more work.
In section 7 we define the repetition of the unique morphism and prove our Main
Lemma. The Main Lemma is then used to prove that the morphism defined in section 6
belongs to the category (is extensional) and is the unique morphism making the
diagram commute. In section 8 we point out how to get a final coalgebra for the
original functor of Hancock/Setzer from this. In section 10 we conclude by
describing some future and related work.

We use the following notations: t ~> t' for t evaluates to t', t = t' for t and t'
evaluate to the same value, A (standing alone) for the type A is inhabited, and
id : t = t' or id : t =_A t' for id is an inhabitant of the identity type. We use
the notation (x : A) -> B x for the dependent product type and
sig m_0 : A_0, ..., m_n : A_n m_0 ... m_{n-1} for sigma types, where the
components of a : sig m_0 : A_0, ..., m_n : A_n m_0 ... m_{n-1} are accessed via
a_{m_i} for i = 0, ..., n. We denote the canonical elements of the sigma types by
(a_0, ..., a_n) and abbreviate sig fst : A, snd : B fst by Σ(A, B) or
Σ(x : A. B x) to emphasise x. The sentential connectives ∨, ∃, ∧, ∀, ⇒ for these
type constructors are used in the standard way to emphasise the reading of types
as propositions. We sometimes suppress arguments which can be inferred from other
arguments; for instance we write subst id b instead of subst A B a a' id b. We
also use the notation _ for missing arguments. We use the notations False and True
for the type with zero and one canonical element respectively. To improve
readability we overload some function symbols, e.g. st, co. However, functions
denoted by equal symbols have equal codomains, whereas the argument types may be
different.
2 Basic definitions and concepts



2.1 Interfaces and interactive programs

In [17] Hancock and Setzer give the following definition of an interface:
An interface is a quadruple (S, C, R, n) s.t.

• S : Set

• C : S -> Set

• R : (s : S, C s) -> Set

• n : (s : S, c : C s, R s c) -> S.

The elements of the set S are called states, C s is the set of commands in
state s : S, R s c the set of responses to a command c : C s in state s : S, and
n s c r the next state of the system after this interaction.

A program for this interface starting in state s : S is a quadruple (A, c, next, a)
s.t.

• A : S -> Set

• c : (s : S, A s) -> C s

• next : (s : S, a : A s, r : R s (c s a)) -> A (n s (c s a) r)

• a : A s.

The elements of the set A s are understood as programs starting in the state s.
The command c s a is the command issued by the program a : A s, and next s a r is
the program that will be executed after having obtained the response
r : R s (c s a) for command c s a. The execution of a program a : A s proceeds as
follows. First we compute c s a and issue this command. Then we wait for a
response r : R s (c s a) from the real world. When we have obtained a response r
we compute the new program next s a r. This cycle is repeated until we reach a
command c with no responses. It may be undecidable whether this is the case. It
should also be noted that a program may wait forever for a response. See [17] for
further motivation.
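The execution cycle just described, as an added worked example that is not part of the paper or of Hancock and Setzer's Agda development: the Python code below models an interface (S, C, R, n) and a program (A, c, next, a) with plain functions and runs a program against a scripted environment. The file-handle interface, its command and response names and the "read everything" program are constructed for the example; dependent typing is replaced by runtime checks that the issued command lies in C s and the response in R s c.

```python
from dataclasses import dataclass
from typing import Any, Callable, List, Optional, Tuple

# Added example, not from the paper. A Hancock/Setzer interface (S, C, R, n):
# C s are the commands of state s, R s c the responses to c in s and n s c r
# the next state. All names below are the example's own.
@dataclass(frozen=True)
class Interface:
    commands: Callable[[Any], frozenset]             # C s
    responses: Callable[[Any, Any], frozenset]       # R s c
    next_state: Callable[[Any, Any, Any], Any]       # n s c r

# A program (A, c, next, a): elements a : A s are plain Python values, c s a
# is the command issued and next s a r the continuation after response r.
@dataclass(frozen=True)
class Program:
    command: Callable[[Any, Any], Any]               # c s a : C s
    next: Callable[[Any, Any, Any], Any]             # next s a r : A (n s (c s a) r)

def run(iface: Interface, prog: Program, s: Any, a: Any,
        env: Callable[[Any, Any], Optional[Any]], fuel: int) -> Tuple[List[Tuple], str]:
    """The execution cycle of section 2.1: compute c s a, issue it, wait for
    r : R s (c s a), continue with next s a r. env(s, c) plays the real world
    and returns a response or None (no response ever arrives). Since a program
    may run forever, fuel bounds the number of interactions."""
    trace = []
    for _ in range(fuel):
        c = prog.command(s, a)
        assert c in iface.commands(s), "program issued a command not in C s"
        if not iface.responses(s, c):        # command without responses: run ends
            trace.append((s, c, None))
            return trace, "halted"
        r = env(s, c)
        if r is None:                        # the program waits forever
            trace.append((s, c, None))
            return trace, "blocked"
        assert r in iface.responses(s, c), "response not in R s (c s a)"
        trace.append((s, c, r))
        s, a = iface.next_state(s, c, r), prog.next(s, a, r)
    return trace, "fuel exhausted"

# Constructed interface: a file handle with states "closed" and "open".
# "halt" is a command of the closed state that has no responses at all.
def file_interface() -> Interface:
    cmds = {"closed": frozenset({"open", "halt"}), "open": frozenset({"read", "close"})}
    resp = {"open": frozenset({"ok", "fail"}), "read": frozenset({"data", "eof"}),
            "close": frozenset({"ok"}), "halt": frozenset()}
    nxt = {("closed", "open", "ok"): "open", ("closed", "open", "fail"): "closed",
           ("open", "read", "data"): "open", ("open", "read", "eof"): "open",
           ("open", "close", "ok"): "closed"}
    return Interface(lambda s: cmds[s], lambda s, c: resp[c], lambda s, c, r: nxt[(s, c, r)])

# Constructed program: open the file (retrying forever on failure), read until
# eof, close, then issue "halt".
def read_all_program() -> Program:
    cmd = {("closed", "start"): "open", ("open", "reading"): "read",
           ("open", "finishing"): "close", ("closed", "done"): "halt"}
    nxt = {("closed", "start", "fail"): "start", ("closed", "start", "ok"): "reading",
           ("open", "reading", "data"): "reading", ("open", "reading", "eof"): "finishing",
           ("open", "finishing", "ok"): "done"}
    return Program(lambda s, a: cmd[(s, a)], lambda s, a, r: nxt[(s, a, r)])

def scripted_env(script: List[Any]) -> Callable[[Any, Any], Optional[Any]]:
    """A real world that answers from a fixed script and then falls silent."""
    answers = iter(script)
    return lambda s, c: next(answers, None)

def demo(script: List[Any], fuel: int = 20) -> Tuple[List[Tuple], str]:
    """Run the constructed program from state "closed" against a script."""
    return run(file_interface(), read_all_program(), "closed", "start",
               scripted_env(script), fuel)
```

With the script ["fail", "ok", "data", "data", "eof", "ok"] the run ends with the "halt" command, which has no responses; a script of nothing but "fail" shows the program retrying until the environment stops answering (blocked) or the fuel runs out, which is the non-termination the text mentions.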
Note that in the definition above programs are given by arbitrary families of
sets A : S -> Set. That means the whole range of sets can be used to introduce
elements into the set of all programs. In particular the set of programs itself
may be used. This is a violation of the vicious-circle principle: impredicative
definitions should not be used. That is, an object should not be defined in
terms of a totality to which the object itself belongs. In other words, no
totality can contain members defined in terms of itself. The vicious-circle
principle is taken very seriously in Martin-Löf type theory.

If we combine c s a and next s a we get an element of

    Prog_HS A s := Σ(c : C s. (r : R s c) -> A (n s c r)).

Since there is no way to get the set of all programs directly in a predicative
framework, Hancock and Setzer expanded Martin-Löf type theory. This results in a
type theory where the adjoined rules express the existence of a (weakly) final
coalgebra for the functor Prog_HS. We are going to show that under certain
assumptions on the sets of states and commands the existence of this set of
programs can be proved in ordinary type theory. The proof is surprisingly hard.
The reason for this is that we work in intensional type theory.

2.2 Intensional Identity 

Under the propositions-as-types interpretation, propositions are nothing other
than types. That a proposition is true means that the type is inhabited. In
order to have an internal representation of equality, identity types are
introduced. The main purpose of these identity types is to be able to make the
assumption that two objects of a type are identical, i.e. to express identity
of objects on the left side of an implication. Martin-Löf's type theory can be
formulated on top of a theory of logical types (logical framework) [34]. This
is a typed λβη-calculus with dependent function types, a special type Set and
a rule which states that each object of Set is also a type. Sets are given by
formation, introduction, elimination and equality rules. The formation rules
say how to build sets, the introduction rules say what the canonical elements
of the set are. Elimination and equality rules say how to eliminate set formers.
β- and η-conversion together with the equality rules give definitional equality.
There are two main versions of Martin-Löf type theory: extensional and
intensional type theory. The difference lies in the treatment of the identity
type. In both versions the formation and introduction rules of the identity
type are the same:

    A : Set    a, b : A              A : Set    a : A
    -------------------              -------------------
      a =_A b : Set                  refl a : a =_A a

The difference is in the elimination and equality rules for the identity type.
The elimination rule in extensional type theory identifies propositional and
definitional identity:

    p : a =_A b
    -----------
     a = b : A

This renders type theory undecidable, i.e. well-typedness, type-checking,
type-hood and definitional equality become undecidable [22]. This is in contrast
to intensional type theory. There is a deep symmetry between the introduction
rules on the one side and the elimination and equality rules on the other side in
intensional type theory. The elimination rules for all sets can be understood
as structural induction rules: a proposition is true for all elements iff the
proposition is true for the canonical elements of the set. In fact elimination
and equality rules can be calculated from the introduction rules [8]. This holds
as well for the identity type:

    C : (x, y : A, p : x =_A y) -> Set
    c : (x : A) -> C x x (refl x)    a, b : A    p : a =_A b
    --------------------------------------------------------
                  idpeel C c a b p : C a b p

with equality idpeel C c a a (refl a) = c a. Surprisingly, this very weak
elimination rule allows one to deduce the usual properties of equality, notably
Leibniz' principle (C a implies C b for a = b). However, working with intensional
identity becomes very awkward. The reason for this is that propositional and
definitional equality do not collapse. That is, two instances of a type family
with indices which are not convertible, just propositionally equal, are not the
same type, i.e. c : C a is in general not an element of C b if a equals b, though
if p : a = b and c : C a we get an element subst p c : C b. The trouble is that
this element depends on the proof p and there is no general way to conclude
that subst p c equals subst q c for p, q : a = b.

We frequently use the following well known (and easy to prove) principles:

Principle 1

    a_0 = a_1 ⇒ f a_0 = f a_1

for A, B : Set, f : A -> B, a_0, a_1 : A.

Principle 2

    (a_0, b_0) =_{Σ(A,B)} (a_1, b_1) ⇔ a_0 =_A a_1 ∧ b_0' =_{B a_1} b_1

for A : Set, B : A -> Set, a_i : A, b_i : B a_i, i = 0, 1 and b_0' obtained from
b_0 by the inhabitant of a_0 = a_1.

2.3 Families and predicates

What makes type theory into dependent type theory is that types may depend
on elements of other types. A family of sets is given by a set IndexP and
a function P : IndexP -> Set. The function P may as well be seen as a
predicate on IndexP. On the other hand it is often technically simpler to
work with a more fibration-like view of families: a family is given by two sets
CoIndexF, IndexF and a function F : CoIndexF -> IndexF. We call the
former a predicate and the latter a family. It is possible to switch between these
notions in the following ways. From predicate P to family F (pr_0 denotes the
first projection):
    CoIndexF := Σ(IndexP, P)
    IndexF   := IndexP
    F        := pr_0 : Σ(IndexP, P) -> IndexP.

From family F to predicate P define IndexP := IndexF and let P i be given
by the following rules:

Formation:

    i : IndexF
    ----------
    P i : Set

Introduction:

    c : CoIndexF
    -----------------
    intro c : P (F c)

Elimination:

    B : (i : IndexF, c' : P i) -> Set
    b : (c : CoIndexF) -> B (F c) (intro c)    i : IndexF    c' : P i
    -----------------------------------------------------------------
                         elim B b i c' : B i c'

where elim B b (F c) (intro c) evaluates to b c. Note that the latter gives
exactly the rules for intensional identity if we take as family Δ : A -> A × A
with Δ a := (a, a). We write PredToFam P and FamToPred F for the family
respectively predicate we gain in the way above. Intuitively we can think about
FamToPred F as the pre-image function F^{-1}.

We say that f : A -> B is a bijection iff there is a g : B -> A such that
a = g (f a) and b = f (g b) are inhabited for all a : A, b : B. We write
A ≃ B iff there is such a bijection. It is easy to establish the following
bijections:

    P i ≃ FamToPred (PredToFam P) i
    iso : CoIndexF ≃ (PredToFam (FamToPred F))_CoIndexF.

In the second case the functions pr_0 ∘ iso = (PredToFam (FamToPred F)) ∘ iso
and F are pointwise equal.

There is a second approach to get a predicate P from a family F. This approach
uses the identity set: define IndexP := IndexF and

    P i := Σ(c : CoIndexF, (F c) = i)

for i : IndexF. We write FamToPred' F for this predicate. Again it is not too
hard to establish the following bijections:

    P i ≃ FamToPred' (PredToFam P) i

    iso : CoIndexF ≃ (PredToFam (FamToPred' F))_CoIndexF

and to prove that in the second case the functions pr_0 ∘ iso =
(PredToFam (FamToPred' F)) ∘ iso and F are pointwise equal. Note that the
index set stays the same all the time and that

    FamToPred (PredToFam P) i ≃ FamToPred' (PredToFam P) i
    (PredToFam (FamToPred F))_CoIndexF ≃ (PredToFam (FamToPred' F))_CoIndexF.

This is a little bit remarkable since the second approach seems to multiply
elements, due to the fact that there may be more than one inhabitant of
(F c) = i. The phenomenon is related to the fact that we can prove

    Collapse Σ(a : A, a = a')

for a' : A but in general not

    Collapse (a = a')

for a, a' : A, where Collapse A is ∀a, a' : A. a = a'.

2.4 A simpler definition of interfaces

What makes work with the interface definition above clumsy is that there are
too many dependencies. The commands depend on the states, the responses on
the commands and the next state on the state, the command and the response.
This seems to be redundant, since the information to which state a command
belongs should already be given by the command itself, and similarly for the
responses and the next state. Hence the responses should depend only on the
command and the next state only on the response. The way to achieve this is to
work with families instead of predicates:

Definition 3 (Interface)

An interface is given by sets S, C, R and functions st : C -> S, co : R -> C,
nxt : R -> S.

Given an interface (S, C, R, n) in the sense of Hancock/Setzer we get an
interface in the new sense by

    st := PredToFam C
    co := PredToFam R'

and setting

    nxt ((s, c), r) := n s c r

where R' is the uncurried version of R. The altered definition determines a
functor (see section 4 below). We are going to prove that this functor has
a final coalgebra and use this result to get a final coalgebra for the original
functor of Hancock/Setzer above. However, we have not succeeded in proving the
result in its most general form for arbitrary sets S, C. In order for the proof to
go through we need a principle known as uniqueness of identity proofs on the
sets S, C. This principle states that all the inhabitants of a = a' are identical,
that is

    ∀a, a' : A. Collapse (a = a').
We write UIP A for ∀a, a' : A. Collapse (a = a'). As shown by Martin Hofmann
[21,22], UIP A is not provable for arbitrary sets A. However, it is provable for
the enumeration types and the natural number type, and it is preserved by the
identity type and the sum type constructors [21], that is

    UIP A ⇒ ∀a, a' : A. UIP (a =_A a')

and

    UIP A ⇒ (∀a : A. UIP (B a)) ⇒ UIP Σ(A, B).

More generally, UIP A follows from decidability of identity [20], that is

    ∀a, a' : A. (a =_A a') ∨ (a ≠_A a'),

which is also preserved by the sum type constructor. Streicher [41] noticed
that UIP A is provable if in the elimination rule for the identity type above
the type of C is changed from (x, y : A, p : x =_A y) -> Set to
(x : A, p : x =_A x) -> Set. Using this elimination rule is equivalent to
pattern matching [31], which therefore proves UIP as well. However, in these
cases elimination cannot be justified as structural induction. In the following
we assume UIP for the sets S and C.



3 The category of S-indexed families of setoids

We are going to define the category of S-indexed families of setoids. The
ambient category of setoids is a model of intensional type theory [21]. The set
of states S determines the following (presheaf-) category:
Objects are triples

    X    : S -> Set
    =_X  : (s : S, X s, X s) -> Set
    eq_X : (s : S) -> equivalence (=_X s)

where equivalence R says that R is an equivalence (reflexive, transitive,
symmetric) relation.

We use the notations =, =_X and =_s for the binary relation
=_X s ⊆ X s × X s (for s : S).

We say that =_X : (s : S) -> X s -> X s -> Set is an equivalence relation iff
all relations =_s ⊆ X s × X s are equivalence relations. Morphisms
f : (X, =_X, eq_X) -> (Y, =_Y, eq_Y) are given by a family of S-indexed
extensional functions, in the sense that

    f : (s : S) -> X s -> Y s

and

    x =_X x' ⇒ f s x =_Y f s x'

for s : S, x, x' : X s. We use the same notation for the morphism and the
function f. If we want to emphasise the relations =_X, =_Y we sometimes say
that f is (=_X, =_Y)-extensional. We identify f, g : (X, =_X, eq_X) -> (Y, =_Y, eq_Y)
iff

    x =_X x' ⇒ f s x =_Y g s x'

for all s : S, x, x' : X s.

It is easily verified that this gives a category.
4 The endofunctor Prog

The interface (S, C, R, st, co, nxt) determines the endofunctor Prog given by

    Prog X s : Set
      = sig command : C
            id_co   : (st command) = s
            next_El : (r : R, (co r) = command) -> X (nxt r)

for X : S -> Set, with equivalence relation

    Prog =_X s (c_0, ids_0, f_0) (c_1, ids_1, f_1) : Set
      = sig idc : c_0 = c_1
            fct : (r : R, idcr : (co r) = c_0) -> f_0 r idcr =_{(nxt r)} f_1 r idcr'

where idcr' := subst idc idcr. We use the notation =_Prog for this relation. By
some simple calculations it follows that =_Prog is an equivalence relation if = is
an equivalence relation. We allow some abuse of notation: Prog takes a family
of sets X : S -> Set, an equivalence relation =_X on X and a witness for the
fact that =_X is an equivalence relation, and gives a triple consisting of a family
of sets Prog X : S -> Set, an equivalence relation Prog =_X on Prog X and a
corresponding witness.

The morphism part of the functor Prog is given by

    Prog g s : Prog X s -> Prog Y s
    Prog g s (c, ids, f) = (c, ids, λr : R, idc : (co r) = c. g (nxt r) (f r idc))

If g is extensional then Prog g is extensional too. To see this, let

    (c_0, ids_0, f_0) =_Prog (c_1, ids_1, f_1)

(remember that this means that the type is inhabited).
Then we have idc : c_0 = c_1. Let r : R and idcr : (co r) = c_0. We have

    f_0 r idcr =_{(nxt r)} f_1 r idcr'

where idcr' is obtained from idcr by idc. We must show that

    g (nxt r) (f_0 r idcr) =_{(nxt r)} g (nxt r) (f_1 r idcr').

But this follows by the extensionality of g.

The defining properties for a functor are easily verified.



5 The coalgebra of computation trees

A possible first approach (suggested by one of the referees of this paper) to
construct a final coalgebra representing the programs of Hancock/Setzer might be
to work in the category of setoids [21,11]. The final coalgebra for the functor
Prog ought to be defined by means of the set (List R) -> C together with an
appropriate equivalence relation. Given a morphism g : B -> Prog B the idea is
now to define an element tree_{g,b} : (List R) -> C for b : B by

    tree_{g,b} ()     := (g b)_command
    tree_{g,b} (l, r) := (g b')_command   if co r = tree_{g,b} l
                         some "junk"      otherwise

where b' has to be defined simultaneously by means of (g -)_next_El. However,
this approach does not work. The reason is that we do not have c = d ∨ c ≠ d
for c, d : C in general, i.e. identity on C need not be decidable. As a
consequence we cannot define tree_{g,b} by case distinction as above. Instead we
have to prove our envisaged result by doing it the hard way (5): we are going to
define the object of the final coalgebra as a set of trees containing exactly the
information a program needs to have. These trees are represented by functions
on dependent lists of states, commands and responses into a universe. We start
by defining the set of lists:

5 "... the dwarfs found out how to turn lead into gold by doing it the hard way.
The difference between that and the easy way is that the hard way works." Terry
Pratchett, The Truth, 2000.

Definition 4 Elements of CTSeq s for s : S are either of the form

    (c, ids)
where c : C and ids : st c = s, or of the form

    (l, r, idc, c, ids)

where l : CTSeq s, r : R, idc : co r = co_l, c : C, ids : st c = nxt r, and co_l
denotes the last command of the sequence l, i.e.

    co_(c, ids) = co_(l, r, idc, c, ids) = c.

Note that we have to define the function co mutually with the sets CTSeq s,
i.e. the definition is by induction-recursion [9]. The idea here is that a list
represents an initial part of a possible program execution. The identities ensure
that the list is accurate for the interface. We need some auxiliary notions:

Definition 5 (Last state, Predecessor)

We denote the last state of the sequence l : CTSeq s by st_l, i.e.
st_(c, ids) := s, st_(l, r, idc, c, ids) := nxt r. We denote the modified
predecessor of the sequence l by pd_l, i.e. pd_(c, ids) := (c, ids),
pd_(l, r, idc, c, ids) := l.

Definition 6 (Append)
We define mutually

    l_0 * (r, idc) * l_1 : CTSeq s

and an inhabitant of

    co_l_1 = co_(l_0 * (r, idc) * l_1)                                      (1)

for s : S, l_0 : CTSeq s, r : R, idc : co r = co_l_0, l_1 : CTSeq (nxt r) by

    l_0 * (r, idc) * (c, ids)              := (l_0, r, idc, c, ids)
    l_0 * (r, idc) * (l, r', idc', c, ids) := ((l_0 * (r, idc) * l), r', idc'', c, ids)

where we obtain idc'' from idc' by the inhabitant of (1), which is defined as
refl c in both cases.

Note that definition by cases is necessary in the definition of the inhabitant
of (1), since otherwise the terms would not evaluate.

Proposition 7 (Associativity of append)

    l_0 * (r_0, idc_0) * (l_1 * (r_1, idc_1) * l_2) = (l_0 * (r_0, idc_0) * l_1) * (r_1, idc_1') * l_2

where idc_1' is obtained from idc_1 by the inhabitant of

    co_l_1 = co_(l_0 * (r_0, idc_0) * l_1)

due to (1).

Proof: Induction on l_2. If l_2 ~> (c, ids) both sides of the equation evaluate
to the same value. Let l_2 ~> (l, r, idc, c, ids).
Let c_1 := co_l_1, c_1' := co_(l_0 * (r_0, idc_0) * l_1).

Let l_left := l_0 * (r_0, idc_0) * (l_1 * (r_1, idc_1) * l) and
l_right := (l_0 * (r_0, idc_0) * l_1) * (r_1, idc_1') * l. By I.H. we have

    idl : l_left = l_right.

Let c_l := co_l, c_l' := co_(l_1 * (r_1, idc_1) * l), c_left := co_l_left,
c_right := co_l_right.

We have inhabitants of

    c_l = c_l'        c_l = c_left        c_l = c_right

by which we obtain inhabitants

    idc_l' : co r = c_l'    idc_left : co r = c_left    idc_right : co r = c_right

from idc. By idl we obtain a second inhabitant

    idc_right' : co r = c_right

from idc_left, and with UIP C we conclude that idc_right' = idc_right and

    (l_left, idc_left) = (l_right, idc_right)                                (2)

by Principle 2. Now l_0 * (r_0, idc_0) * (l_1 * (r_1, idc_1) * l_2) evaluates to

    (l_left, r, idc_left, c, ids)

and (l_0 * (r_0, idc_0) * l_1) * (r_1, idc_1') * l_2 to

    (l_right, r, idc_right, c, ids).

The claim follows by (2) with Principle 1. □



Remark: Note that to conclude that (2) holds, we have to prove that idc_right'
equals idc_right. We obtained idc_right' from idc_left by shifting it along idl.
Since we know nothing about idl (we got idl from the I.H.; at least we do not
know whether types depending on idl are inhabited), we know nothing about
idc_right'. So to force the needed equality we apply UIP C.

Corollary 8

    (c, ids_0) * (r, idc) * l = (c, ids_1) * (r, idc) * l

for ids_0, ids_1 : (st c) = s.

Proof: With UIP S. □

Corollary 9

    (c_0, ids_0) * (r, idc) * l = (c_1, ids_1) * (r, idc') * l

for id : c_0 = c_1, ids_i : (st c_i) = s (i = 0, 1) and idc' = subst id idc.

Proof: Case id = refl c. □

We are going to define a universe U. The definition is by induction-recursion
[9]. The universe U is a relatively small universe. It contains names for the
sets S, C, R and is closed only under the identity and sigma type formers. For
the general role of universes in type theory and the proof theoretic strength
gained by (much larger) universes compare [35,40].

Definition 10 (Universe)
We define mutually

    U : Set
      = data NameS | NameC | NameR
           | NameId (u : U) (e_1, e_2 : set u)
           | NameSig (u : U) (f : (e : set u) -> U)

and

    set (u : U) : Set

by

    set NameS              = S
    set NameC              = C
    set NameR              = R
    set (NameId u e_1 e_2) = (e_1 =_{(set u)} e_2)
    set (NameSig u f)      = Σ(e : set u. set (f e))

We write NIdC for NameId NameC.

We want to define computation trees as functions T : CTSeq s -> U with the
following properties:

(1) There is exactly one root c : C for the tree.

(2) For every l : CTSeq s which is a node of the tree and for every r : R
suitable for l there is exactly one successor, i.e. one c such that
(l, r, idc, c, ids) is a node of the tree.

(3) For every l : CTSeq s which is a node of the tree the predecessor of l is a
node of the tree too.

Here a list l is a node of the tree if set (T l) is inhabited, and r : R is
suitable for l if co r = co_l. Technically a computation tree will be a dependent
tuple of a function T together with a witness that the function fulfils the
properties above (Definition 12). The properties are expressed by sigma types
(Definition 11). We formalise these ideas as follows:

Definition 11 For s : S, T : CTSeq s -> U let Φ_1 s T be

    sig root     : C
        id_co    : st root = s
        root_ex  : set (T (root, id_co))
        root_uni : ∀c : C, idsc : st c = s. set (T (c, idsc)) ⇒ c = root

For s : S, T : CTSeq s -> U, l : CTSeq s, e : set (T l), r : R and
idcr : co r = (co_l) let Φ_2 s T l e r idcr be

    sig command     : C
        id_co       : st command = nxt r
        command_ex  : set (T (l, r, idcr, command, id_co))
        command_uni : ∀c : C, idsc : st c = nxt r. set (T (l, r, idcr, c, idsc)) ⇒
                      c = command

For s : S, T : CTSeq s -> U, l : CTSeq s and e : set (T l) let Φ_3 s T l e
be

    set (T (pd_l))

Let Φ s T be (Φ_1 s T) ∧ (Φ_2 s T) ∧ (Φ_3 s T), where Φ_2 s T and Φ_3 s T are
understood as universally quantified over their remaining arguments.

Note the natural way in which we make use of dependent types in this
definition: we quantify in Φ only over those l which are nodes of the tree T,
via the argument e : set (T l) in Φ_2 and Φ_3. This will play an important role
later. We are now able to define the family of sets in the object part of the
final coalgebra:

Definition 12 (Computation trees)

    CT (s : S) : Set
      = sig tree : CTSeq s -> U
            phi  : Φ s tree
Before we define an equivalence relation on this family we declare the
morphism of the final coalgebra. We single out the command of each tree by using
the witness for the property Φ_1.

Definition 13 (Command of a computation tree)
For ct : CT s with ct_phi ~> (φ_1, φ_2, φ_3)

    co_ct    := (φ_1)_root
    id_co_ct := (φ_1)_id_co

The program that we obtain after doing one computation step and receiving
a response r is represented by the subtree at branch r. A subtree is given by
taking the tree function at another position. The argument is constructed by
means of the append function on lists.

Definition 14 (elim_tree)

For ct : CT s, r : R and idc : co r = co_ct let

    elim_tree s ct r idc : CTSeq (nxt r) -> U

be given by

    λl : CTSeq (nxt r). ct_tree ((c, ids) * (r, idc) * l)

where c = co_ct and ids = id_co_ct.

We need to prove that the defined function has the properties Φ_1 to Φ_3.

Proposition 15 For ct : CT s, r : R and idc : (co r) = (co_ct)

    Φ_1 (nxt r) (elim_tree s ct r idc).



Proof: Let c = co.ct and ids = id^ 0 _ct. The inhabitant of $i s ct tr ee gives an 
inhabitant e : set(ct tre e s (c, ids)). The inhabitant of $2 s ct tree (c, ids) e r idc 
proves the claim. □ 

Proposition 16 For ct : CT s, r : R and idc : (co r) = (co_ct) 

$2 (nxt r) (elim tree s ct r idc). 



Proof: Let / : CTSeq (nxt r), e : set (elim tree s ct r idc I), r' : R, idc' : 
(co r') = {co A). Let c = co_ct and ids = id^ Q _ct. By 1 we get an inhabitant 
idc" : (co r') = (co_((c, ids) * (r, idc) * /) from idc' and the inhabitant of 
$2 s ct tree ((c, ids) ★ (r, idc) *l) er' idc" proves the claim. □ 
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Proposition 17 For ct : CT s, r : R and idc : (co r) = (co_ct) 

$ 3 (nxt r) (elim tree s ct r idc). 

Proof: Induction on I : CTSeq (nxt r). □ 

The morphism part of the final coalgebra is now given by:

Definition 18 (elim)
For ct : CT s we define

    elim s ct : Prog s CT

by

    (co_ct, id_co_ct, next_El)

where next_El r idc : CT (nxt r) is given by elim_tree s ct r idc and Propositions
15-17 for r : R and idc : (co r) = (co_ct).

We write next_El_ct for (elim s ct)_next_El.

5.1 Bisimulation

We still need to define an equivalence relation on CT. The function elim gives
a labelled transition system. There is a transition r : R between trees T₀ and
T₁ if T₁ is the subtree of T₀ at branch r. Since this transition system is image
finite we can define bisimulation by means of natural induction.

Definition 19 (Bisimulation)
For ct, ct' : CT s, n : N we define

    ct ~_n ct' : Set

by

    ct ~_zero ct'     := True
    ct ~_(succ n) ct' := sig idc : c = c'
                             fct : (r : R, idcr : (co r) = c) → f r idcr ~_n f' r idcr'

and

    ct ~ ct' : Set
      = ∀n : N. ct ~_n ct'

where elim s ct ↝ (c, idc, f), elim s ct' ↝ (c', idc', f') and idcr' is obtained
from idcr by idc.

Proposition 20 ~ is an equivalence relation on CT.

Proof: Straightforward. □

Proposition 21

    ct ~ ct' ⟺ elim s ct ~_Prog elim s ct'

for ct, ct' : CT s.

Proof: "⇒" Follows with UIP C.

"⇐" Trivial. □

Corollary 22 elim : CT → Prog CT is extensional.

This means that elim is a coalgebra morphism. We are going to prove that
elim : CT → Prog CT is a final coalgebra for Prog.
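Definition 19 and Proposition 21 as an added Python model, not part of the paper's Agda development: a constructed state-dependent interface and three finite-state programs (Prog-coalgebras), two of which have different carriers B but the same computation tree, and one that differs from them only at depth two. bisim_n is the bounded relation ~_n; bisim decides ~ itself, which is possible here only because the programs are finite-state.

```python
"""Bounded bisimulation ~_n (Definition 19) and its limit ~ for coalgebras
of the functor Prog.  Added example, not the paper's Agda development; the
interface and the three programs below are constructed."""
from typing import Callable, Dict, Hashable, Set, Tuple

# Interface (constructed): co maps each response to the command it answers;
# st and nxt are left implicit in the program states below.
CO = {"ok": "open_file", "fail": "open_file",
      "data": "read", "eof": "read", "done": "close"}

# A coalgebra g : (s : S, B s) -> Prog B s is modelled as a function from a
# program state (s, b) to (command, next), where next maps every response r
# with co r = command to a program state at interface state nxt r.
State = Tuple[str, Hashable]
Step = Tuple[str, Dict[str, State]]
Coalg = Callable[[State], Step]
START: State = ("closed", "want")


def responses(c: str):
    """All responses r with co r = c (the branches below command c)."""
    return [r for r, c2 in CO.items() if c2 == c]


def prog_a(b: State) -> Step:
    """Open (retrying on failure), read until eof, close, repeat."""
    mode = b[1]
    if mode == "want":
        return "open_file", {"ok": ("open", "reading"), "fail": START}
    if mode == "reading":
        return "read", {"data": ("open", "reading"), "eof": ("open", "closing")}
    return "close", {"done": START}


def prog_b(b: State) -> Step:
    """Same behaviour as prog_a, but its state also records the parity of
    the chunks read: a different carrier B, the same computation tree."""
    mode = b[1]
    if mode == "want":
        return "open_file", {"ok": ("open", ("reading", 0)), "fail": START}
    if mode[0] == "reading":
        return "read", {"data": ("open", ("reading", (mode[1] + 1) % 2)),
                        "eof": ("open", "closing")}
    return "close", {"done": START}


def prog_c(b: State) -> Step:
    """Like prog_a, but closes after the first chunk of data."""
    mode = b[1]
    if mode == "want":
        return "open_file", {"ok": ("open", "reading"), "fail": START}
    if mode == "reading":
        return "read", {"data": ("open", "closing"), "eof": ("open", "closing")}
    return "close", {"done": START}


def bisim_n(g0: Coalg, b0: State, g1: Coalg, b1: State, n: int) -> bool:
    """ct ~_n ct' on the unfoldings of b0 and b1: ~_0 always holds,
    ~_(n+1) needs equal commands and ~_n on every branch r with co r = c."""
    if n == 0:
        return True
    c0, f0 = g0(b0)
    c1, f1 = g1(b1)
    if c0 != c1:
        return False
    return all(bisim_n(g0, f0[r], g1, f1[r], n - 1) for r in responses(c0))


def bisim(g0: Coalg, b0: State, g1: Coalg, b1: State) -> bool:
    """ct ~ ct', i.e. ~_n for all n, decided coinductively: a pair of states
    is assumed related until a command mismatch refutes it.  Unlike bisim_n
    this only terminates for finite-state programs."""
    assumed: Set[Tuple[State, State]] = set()
    todo = [(b0, b1)]
    while todo:
        x, y = todo.pop()
        if (x, y) in assumed:
            continue
        assumed.add((x, y))
        cx, fx = g0(x)
        cy, fy = g1(y)
        if cx != cy:
            return False
        todo.extend((fx[r], fy[r]) for r in responses(cx))
    return True
```

prog_a and prog_c agree up to ~_2 (commands on paths of length at most one) and are separated by ~_3, after the path ok, data.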



6 The unique morphism T into the final coalgebra 



Let B : S → Set and g : (s : S, B s) → Prog B s. We keep B and g fixed for
the rest of the article. We write co_b, id_co_b and next_El s b for (g s b)_command,
(g s b)_ids, (g s b)_next_El respectively, where b : B s. We must find a unique
morphism T : B → CT with elim ∘ T = Prog T ∘ g, i.e. elim s (T s b) ~_Prog
(Prog T) s (g s b) for s : S, b : B s. We get T by defining mutually the function
value T_tree s b l : U for l : CTSeq s and an element of B (nxt r) for those l
which are nodes of T_tree s b, where r is a response of co_l. This element is
essentially the element which we get if we follow g along the responses which
occur in l, including r. The list (c, ids) is a node of the tree T_tree s b if c is the
command played by g at b, i.e. (co_b) = c. The list (l, r, _, c, _) is a node of
the tree T_tree s b if l is a node of T_tree s b and c is the command played by g at
the element of B (nxt r) described above. Things again become quite involved
since we have to shift the identities to meet the typing requirements.

Definition 23 We define mutually

    T_tree s b l : U

and

    Δ s b l r idc e : B (nxt r)

for s : S, b : B s, l : CTSeq s, r : R, idc : co r = co_l and e : set (T_tree s b l) by

    T_tree s b (c, ids)               := IdC c (co_b)
    T_tree s b (l', r', idc', c, ids) := NameSig (T_tree s b l') (λe : set(T_tree s b l'). IdC c (c' e))

where c' e := co_(Δ s b l' r' idc' e) and

    Δ s b (c, ids) r idc e               := next_El s b r idce
    Δ s b (l', r', idc', c, ids) r idc e := next_El (nxt r') b' r idc''

where in the first case idce is the composition of idc and e, and in the second
case b' := Δ s b l' r' idc' e_fst, e_snd : c = (co_b') and idc'' := subst e_snd idc.

We lift UIP C to set(T_tree s b l):

Proposition 24

    ∀p, q : set(T_tree s b l). p = q

for s : S, b : B s, l : CTSeq s.

Proof: If l ↝ (c, ids) this is UIP C.

Let l ↝ (l', r, idc, c, ids), p, q : set(T_tree s b l) with p ↝ (p', idcp) and q ↝
(q', idcq). We have id : p' =_{set(T_tree s b l')} q' by I.H. and idcp' = idcq by UIP C,
where we obtain idcp' from idcp by id. This proves the claim. □

Corollary 25

    Δ s b l r idc p = Δ s b l r idc q

for s : S, b : B s, l : CTSeq s, r : R, idc : (co r) = (co_l) and p, q :
set (T_tree s b l).

Proof: Immediate from Proposition 24. □

The following three propositions state that T_tree s b is indeed an element of
CT, i.e. that T_tree s b fulfils the properties Φ₁-Φ₃.

Proposition 26 For s : S, b : B s

    Φ₁ s (T_tree s b).

Proof: The following term proves the claim:

    (co_b, id_co_b, refl (co_b), root_uni_T)

where root_uni_T c idsc p := p for c : C, idsc : (st c) = s and p : set(T_tree s b (c, idsc)).
□
Proposition 27 For s : S, b : B s

    Φ₂ s (T_tree s b).

Proof: Let l : CTSeq s, p : set (T_tree s b l), r : R, idcr : (co r) = (co_l).

For x : set(T_tree s b l) let b' x := Δ s b l r idcr x, c' x := co_(b' x) and
ids' x := id_co_(b' x). The following term proves the claim

    (c' p, ids' p, (p, refl (c' p)), command_uni_T)

where command_uni_T c idsc q := subst id q_snd and id : q_fst = p is the inhabitant
according to Proposition 24, for c : C, idsc : st c = nxt r and q : set(T_tree s b (l ⋆
(r, idcr) ⋆ (c, idsc))). □

Proposition 28 For s : S, b : B s

    Φ₃ s (T_tree s b).

Proof: Obvious. □

Definition 29 Let T (s : S)(b : B s) : CT s be

    (T_tree s b, T_phi s b)

where T_phi s b is given by the Propositions 26-28.
We postpone the proof that T is extensional.

7 The Repetition of the unique morphism T


We want to prove that T is the unique morphism making the coalgebra square
below commute.

        B  ------ g ------>  Prog B
        |                       |
        T                    Prog T
        |                       |
        v                       v
       CT  ----- elim ---->  Prog CT

That means we have to prove

    b₀ = b₁ ⇒ (Prog T ∘ g)_b₀ ~ (elim ∘ T)_b₁

for s : S and b₀, b₁ : B s, where = denotes the equivalence relation on B. We
have

    ct₀ ~_n ct₁  ⟺  co_ct₀ = co_ct₁ and
                    next_El_ct₀ r₀ idcr₀ ~_{n-1} next_El_ct₁ r₀ idcr₀'
                 ⟺  ... and
                    next_El_(next_El_ct₀ r₀ idcr₀) r₁ idcr₁ ~_{n-2}
                    next_El_(next_El_ct₁ r₀ idcr₀') r₁ idcr₁'

for ct₀, ct₁ : CT s. This observation leads to the definition of the repetition
T_Rep of T which we use in the following to prove the coalgebra property. We
define the repetition T_Rep of T for every sequence l : CTSeq s which belongs
to T_tree s b. Essentially this will be the subtree of T_tree which we get when we
follow the tree along the path l. We want to define this by recursion on l. Again
this cannot be done in a straightforward way, since the elements we get by
the induction hypothesis do not have the desired type. That means we have
to shift them along certain identities which must be defined simultaneously.
Therefore we define mutually



    T_Rep s b l p : CT (st_l)

and identities

    co_l =_C co_(T_Rep s b l p)                          (3)
    (T_Rep s b l p)_tree l' =_U T_tree s b (l # l')      (4)

where s : S, b : B s, l : CTSeq s, p : set(T_tree s b l), l' : CTSeq (st_l) and

    (c, ids) # l'             := l'
    (l₀, r, idc, c, ids) # l' := (l₀ ⋆ (r, idc) ⋆ l').

The second identity (in U) is needed to prove the first one (in C).



Definition 30 (Repetition of T)
We define mutually

    T_Rep (s : S)(b : B s)(l : CTSeq s)(p : set(T_tree s b l)) : CT (st_l)

by

    T_Rep s b (c, ids) p             = T s b
    T_Rep s b (l', r, idc, c, ids) p = next_El_(T_Rep s b l' p') r idc'

where p' = φ₃ s b l p, φ₃ : Φ₃ s (T_tree s b) as in Proposition 28 and idc' is
obtained from idc by the identity 3.
We define an inhabitant of

    co_l = co_(T_Rep s b l p)

by

    p                        if l ↝ (c, ids)
    φ₁_root_uni c ids p'     if l ↝ (l', r, idc, c, ids)

where φ₁ : Φ₁_(T_Rep s b l p) is as given by Proposition 26 and p' is obtained from
p by the identity 4.

To complete the definition we must define an inhabitant of

    (T_Rep s b l p)_tree l' = T_tree s b (l # l')

for s : S, b : B s, l : CTSeq s, p : set(T_tree s b l) and l' : CTSeq (st_l).

In the case l ↝ (c, ids) an inhabitant of this type is given by

    refl (T_tree s b (l # l'))

since both sides of the equation evaluate to the same value.
For l ↝ (l₀, r, idc, c, ids) let p' be as above,

    cl₀    := co_(T_Rep s b l₀ p'),
    idcsl₀ := id_co_(T_Rep s b l₀ p'),
    sl₀    := (cl₀, idcsl₀),
    sl₁    := (c₀, idcs₀),

where l₀ = (..., c₀, idcs₀) and idc' is obtained from idc by the identity 3. Let

    left   = (T_Rep s b l₀ p')_tree (sl₀ ⋆ (r, idc') ⋆ l')
    middle = T_tree s b (l₀ # (sl₀ ⋆ (r, idc') ⋆ l'))
    right  = T_tree s b (l₀ ⋆ (r, idc) ⋆ l').

We must prove left = right. We have sl₀ ⋆ (r, idc') ⋆ l' = sl₁ ⋆ (r, idc) ⋆ l' by
Corollary 9 and by I.H.

    left = middle.

If l₀ ↝ (c₀, idcs₀) then

    middle = right

by Principle 1 and we are done.
If l₀ ↝ (l₁, r₀, idcr₀, c₀, idcs₀) then

    l₁ ⋆ (r₀, idcr₀) ⋆ (sl₀ ⋆ (r, idc') ⋆ l') = l₁ ⋆ (r₀, idcr₀) ⋆ (sl₁ ⋆ (r, idc) ⋆ l')
                                              = (l₁ ⋆ (r₀, idcr₀) ⋆ sl₁) ⋆ (r, idc) ⋆ l'
                                              = l₀ ⋆ (r, idc) ⋆ l'

where the first equation follows by Principle 1 and the second by the
associativity of ⋆. Principle 1 gives

    middle = right

and we are done again.

Remark: Note that we could define the repetition of ct for arbitrary ct : CT s.
Therefore we can proceed in a similar way as above. We just need to replace
p by φ₁_root c ids p in the first case of the construction of the inhabitant of
the identity 3, where φ₁ is the witness for Φ₁ s ct. However, since this greater
generality has no particular advantage for us, we work with the definition
above.

As a corollary to Proposition 24 we get:

Corollary 31

    T_Rep s b l p = T_Rep s b l q

for p, q : set(T_tree s b l).

We need some auxiliary definitions. Let

    nxtS s (c, ids) r              := nxt r
    nxtS s (l', r', idc, c, ids) r := nxtS s l' r'

    pred s (c', ids') r idc c ids               := (c, ids)
    pred s (l', r', idc', c', ids') r idc c ids := ((pred s l' r' idc' c' ids'), r, idcr, c, ids)

where idcr is obtained from idc by the simultaneously defined inhabitant of

    c = co_(pred s l r idc c ids)                         (5)

which is given in both cases by refl c. Note that definition by cases is
necessary again to define this inhabitant. The operation pred _ l _ cuts off the first
command and response of the list l. Since this is only possible for lists of the
form (l', r', idc', c', ids') we use the auxiliary arguments r, idc, c and ids. The
obtained list is an inhabitant of CTSeq (nxtS s l r). Further we define an
inhabitant of B (nxtS s l r) by

    nexte s (c', ids') r idc c ids b (id₀, id₁)              := Δ s b (c', ids') r idc id₀
    nexte s (l', r', idc', c', ids') r idc c ids b (p', id₁) := nexte s l' r' idc' c' ids' b p'

where b : B s and p : set (T_tree s b (l, r, idc, c, ids)) for p ↝ (id₀, id₁),
p ↝ (p', id₁) and l ↝ (c', ids'), l ↝ (l', r', idc', c', ids') respectively. The
inhabitant nexte _ l r _ is calculated by doing essentially only the first step in
the calculation of Δ _ l r _. Whereas Δ _ l r _ gives us an element of B (nxt r)
by following all responses in l including r, nexte _ l r _ does only the first
step. The following Proposition states that we get equal elements in B (nxt r₀)
whether we apply Δ on b and a sequence (l, r, idcr, c, idsc) or do one step from
b along this sequence and use the sequence obtained from (l, r, idcr, c, idsc) by
pred above.

Proposition 32 For s : S, l : CTSeq s, r, r₀ : R, c : C, b : B s,

    idcr  : co r = co_l
    idsc  : st c = nxt r
    idcr₀ : co r₀ = c

p : set (T_tree s b (l, r, idcr, c, idsc)), q : set (T_tree sₙ bₙ l_p) where

    sₙ  = nxtS s l r
    bₙ  = nexte s l r idcr c idsc b p
    l_p = pred s l r idcr c idsc

we have

    Δ s b (l, r, idcr, c, idsc) r₀ idcr₀ p = Δ sₙ bₙ l_p r₀ idcr₀' q

where idcr₀' is obtained from idcr₀ by the identity 5.
Proof: Case l ↝ (c', ids), p ↝ (id₀, id₁).

Then idcr₀' evaluates to idcr₀. Let idcr₁, idcr₂ be obtained from idcr₀ by id₁, q
respectively. By UIP C we have

    idcr₁ = idcr₂

and by Principle 1 we get

    Δ s b ((c', ids), r, idcr, c, idsc) r₀ idcr₀ (id₀, id₁) = f idcr₁
                                                         = f idcr₂
                                                         = Δ sₙ bₙ l_p r₀ idcr₀ q

where f = (g (nxt r) ((g s b)_next_El r idcr'))_next_El r₀ and idcr' is obtained from idcr
by id₀.

Case l ↝ (l', r', idc', c', ids), p ↝ (p', id₁), q ↝ (q', id₂).
Then again idcr₀' evaluates to idcr₀. We define

    f : (x : B (nxt r)) → IdC x → B (nxt r₀)

where IdC x := ((co r₀) = (co_x)) by

    f x y = (g (nxt r) x)_next_El r₀ y

for x : B (nxt r), y : IdC x.
By I.H. we have

    ih : Δ s b (l', r', idc', c', ids) r idcr p' = Δ sₙ' bₙ' l'_p r idcr₂ q'
         =: left_b                                 =: right_b

where idcr₂ is obtained from idcr by identity 5 and

    sₙ'  := nxtS s l' r'
    bₙ'  := nexte s l' r' idc' c' ids b p'
    l'_p := pred s l' r' idc' c' ids.

Let idcr₁, idcr₃ be obtained from idcr₀ by id₁, id₂ respectively. By UIP C we get

    subst ih idcr₁ = idcr₃.

That means

    (left_b, idcr₁) = (right_b, idcr₃)

and by Principle 1 we get

    Δ s b (l, r, idcr, c, idsc) r₀ idcr₀ p = f left_b idcr₁
                                           = f right_b idcr₃
                                           = Δ sₙ bₙ l_p r₀ idcr₀' q

□



Corollary 33

    co_(Δ s b (l, r, idcr, c, idsc) r₀ idcr₀ p) = co_(Δ sₙ bₙ l_p r₀ idcr₀' q).



Let s : S, l : CTSeq s, r : R, idcr : (co r) = (co_l), c : C, idsc : (st c) = (nxt r).
We define an inhabitant of

    st_(l, r, idcr, c, idsc) = st_(pred s l r idcr c idsc)          (6)

by refl (nxt r) according to the shape of l. Again definition by cases is
necessary to define this inhabitant. The following Lemma will be our main tool
to prove all desired properties of T. Roughly speaking it says that we get the
same trees whether we take the subtree following the tree at b along the path
(l, r, idcr, c, idsc) or do one step from b along this sequence (get a new bₙ) and
follow the tree at bₙ along the path obtained from (l, r, idcr, c, idsc) by pred
above.

Lemma 34 (Main Lemma)

Let s, l, r, c, b, idcr, idsc, p, q as well as sₙ, bₙ, l_p be as in Proposition 32. Then

    T_Rep' s b (l, r, idcr, c, idsc) p ~ T_Rep sₙ bₙ l_p q

where we obtain the left term from T_Rep s b (l, r, idcr, c, idsc) p by the identity
6.

Proof: We have to distinguish the cases l ↝ (c', ids) and l ↝ (l', r', idc', c', ids) in
order to have

    T_Rep' s b (l, r, idcr, c, idsc) p ↝ T_Rep s b (l, r, idcr, c, idsc) p.

However the proof proceeds in the same way in both cases:

Let n : N. For n ↝ zero there is nothing to do. Let n ↝ succ m. Let l⁺ :=
(l, r, idcr, c, idsc) and

    c₀ := co_(T_Rep s b l⁺ p)
    c₁ := c
    c₂ := co_l_p
    c₃ := co_(T_Rep sₙ bₙ l_p q)

We have

    c₀ = c₁ = c₂ = c₃

where the first and last equation follow with the identity 3 and the second
with the identity 5.

Now let r₀ : R and idcr₀ : co r₀ = c₀. For i = 0, 1, 2 we obtain elements
idcr_{i+1} : co r₀ = c_{i+1} from idcr_i by the identities above. Further we obtain
a second element idcr₀' : co r₀ = c₀ from idcr₁ and a second element idcr₃' :
co r₀ = c₃ from idcr₀. We have idcr₀ = idcr₀' and idcr₃ = idcr₃' ⁷. Let

    nxt_lft := next_El_(T_Rep s b l⁺ p) r₀
    nxt_rgt := next_El_(T_Rep sₙ bₙ l_p q) r₀

and ct₀ := nxt_lft idcr₀', ct₁ := nxt_lft idcr₀, ct₂ := nxt_rgt idcr₃,
ct₃ := nxt_rgt idcr₃'. We have ct₀ = ct₁ and ct₂ = ct₃. We have to prove
ct₁ ~_m ct₃. Therefore it is enough to prove

    ct₀ ~_m ct₂.

Let

    c_p    := co_(Δ s b l⁺ r₀ idcr₁ p),
    c_p_id := id_co_(Δ s b l⁺ r₀ idcr₁ p),
    idc_p  given by identity 5.

We have

    (p, refl c_p) : set(T_tree s b (l⁺, r₀, idcr₁, c_p, c_p_id))
    (q, idc_p)    : set(T_tree sₙ bₙ (pred s l⁺ r₀ idcr₁ c_p c_p_id))

and

    ct₀ ↝ T_Rep' s b (l⁺, r₀, idcr₁, c_p, c_p_id) (p, refl c_p)
    ct₂ ↝ T_Rep sₙ bₙ (pred s l⁺ r₀ idcr₁ c_p c_p_id) (q, idc_p).

Therefore the claim follows by I.H. applied to s : S, l⁺ : CTSeq s, r₀ : R,
c_p : C, b : B s, idcr₁ : co r₀ = c, c_p_id : st c_p = nxt r₀, (p, refl c_p), (q, idc_p) and
m : N. □

⁷ We do not need UIP C for this.

Corollary 35 For s : S, b : B s, r : R, idcr : (co r) = co_(T s b), we have

    (elim s (T s b))_next_El r idcr ~ (Prog T s (g s b))_next_El r idcr.

Proof: Apply the Main Lemma to s, (c₀, ids₀), r, c₁, b, idcr, ids₁, (refl c₀, refl c₂),
refl c₃ where

    c₀   = co_(T s b)
    ids₀ = id_co_(T s b)
    c₁   = co_(next_El_(T s b) r idcr)
    ids₁ = id_co_(next_El_(T s b) r idcr)
    c₂   = co_(Δ s b (c₀, ids₀) r idcr (refl c₀))
    c₃   = co_((g s b)_next_El r idcr).

□

Note that (Prog T s (g s b))_next_El r idcr ↝ T (nxt r) ((g s b)_next_El r idcr).
8 Proof of the Final Coalgebra Property

Proposition 36 If g is extensional, then T is extensional.

Proof: We denote the equivalence relation on B by = and the witness that g
is extensional by ext. The proof is by natural induction. Let s : S, b₀, b₁ : B s,
rel : b₀ = b₁, n ↝ succ m : N. Let

    c₀ := co_(T s b₀)
    c₁ := co_(T s b₁)
    left_fun  := (g s b₀)_next_El
    right_fun := (g s b₁)_next_El

    id := (ext s b₀ b₁ rel)_idc : c₀ = c₁

The term id gives the first component of the inhabitant we have to construct.
For the second component let r : R, idcr : (co r) = c₀. We have to prove

    (elim s (T s b₀))_next_El r idcr ~_m (elim s (T s b₁))_next_El r idcr'

where idcr' := subst id idcr. Let b₀' := left_fun r idcr, b₁' := right_fun r idcr';
then (ext s b₀ b₁ rel)_fct r idcr gives b₀' = b₁' and by I.H. we have

    T (nxt r) b₀' ~_m T (nxt r) b₁'.

The claim follows with Corollary 35. □

Lemma 37

    elim ∘ T = Prog T ∘ g

Proof: Let s : S, b₀, b₁ : B s, rel : b₀ = b₁, c₀ := ((elim ∘ T) s b₀)_command,
c₁ := ((Prog T ∘ g) s b₁)_command. We have id := ext s b₀ b₁ rel : c₀ = c₁. Let n : N,
r : R and idcr : (co r) = c₀. Then

    ((elim ∘ T) s b₀)_next_El r idcr ~_n ((Prog T ∘ g) s b₀)_next_El r idcr'
                                     ~_n ((Prog T ∘ g) s b₁)_next_El r idcr'

where idcr' := subst id idcr, and the first relation follows by Corollary 35 and
the second by the extensionality of g and Prog T. □

Lemma 38 For T' : B → CT with

    elim ∘ T' = Prog T' ∘ g

we have T' = T.

Proof: Natural induction. Let s : S, b₀, b₁ : B s, rel : b₀ = b₁, n ↝ succ m : N.
Let comm : elim ∘ T' = Prog T' ∘ g, c₀ := ((elim ∘ T') s b₀)_command, c₁ :=
((elim ∘ T) s b₁)_command. Then

    id := (comm s b₀ b₁ rel)_idc : c₀ = c₁.

Let r : R and idcr : (co r) = c₀; then

    (T' s b₀)_next_El r idcr ~_n T' (nxt r) ((g s b₁)_next_El r idcr')    (7)
                             ~_n T (nxt r) ((g s b₁)_next_El r idcr')     (8)
                             ~_n (T s b₁)_next_El r idcr'                 (9)

where idcr' := subst id idcr. The relation 7 follows by (comm s b₀ b₁ rel)_fct r idcr,
the relation 8 by the I.H. and the fact that = is reflexive, and the relation 9
by Corollary 35. □

Theorem 39 elim : CT → Prog CT is a final coalgebra for Prog.

Proof: Lemmata 37 and 38. □



9 Carrying over the Result to the original Functor of Hancock/Setzer

In this section we are going to translate the result to the original functor
Prog_HS of Hancock/Setzer above. We first notice that we can write an uncurried
version of the functor Prog as

    Prog_uc X s := Σ(p : (FamToPred' st) s, (q : (FamToPred' co) p_fst) → X (nxt q_fst)).

We can prove a final coalgebra theorem for this functor in the same way
as above (this is just a rearrangement of parentheses). If (S, C, R, st, co, nxt)
comes from a Hancock/Setzer-interface (S, C, R, n) as described in section
2.4, Prog_uc X s rewrites to

    Σ(p : Σ(sc : Σ(S, C), (st sc) = s),
      (q : Σ(scr : Σ(Σ(S, C), R'), (co scr) =_{Σ(S,C)} p_fst)) → X (nxt q_fst)).

where st and co are the first projections and R' is the uncurried version of R.
We define functions

    u_hs : Prog_uc X s → Prog_HS X s

by

    (((s', c), id), f) ↦ (c', f')

where c' := subst id c, f' r := f (((s, c'), r), id') and id' : (s,c') = (s', c) is
defined by structural induction on id : s' = s, and

    hs_u : Prog_HS X s → Prog_uc X s

by

    (c, f) ↦ (((s, c), refl s), f')

where f' p = (subst p_snd f) p_fst.

We have p ↝ u_hs (hs_u p) and therefore p = u_hs (hs_u p). We define
equivalence relations = on Prog_uc X s by

    (scid₀, f₀) = (scid₁, f₁) :⟺ ∃id : scid₀ = scid₁. pointeq (f₀' id) f₁

where f₀' id := subst id f₀ and pointeq (f₀' id) f₁ expresses that (f₀' id), f₁ are
pointwise equal. By structural induction on id it follows that we have



for arbitrary equivalence relations = on X. Further we have

Proposition 40

    p = hs_u (u_hs p)

for p : Prog_uc X s.

Proof: Let p ↝ (((s', c'), ids), f). We prove

    (((s', c'), ids), f) = hs_u (u_hs (((s', c'), ids), f))

by structural induction on ids. That means we have to prove

    (((s, c'), refl s), f) = hs_u (u_hs (((s, c'), refl s), f)).

We get an inhabitant of this type by setting the first component to

    refl ((s, c'), refl s).

The second component must now have type

    pointeq f (hs_u (c', f'))_snd

where f' := λr : R' (s, c'). f (((s, c'), r), refl (s, c')). Let sc' : Σ(S, C) and

    ((sc, r), idsc) : Σ(scr : Σ(Σ(S, C), R'), scr_fst =_{Σ(S,C)} sc').

By structural induction on idsc we get

    f ((sc, r), idsc) = (subst idsc f'') r

where f'' := λr : R' sc'. f ((sc', r), refl sc'). By setting sc' = (s, c') we get

    f ((sc, r), idsc) = (hs_u (c', f'))_snd ((sc, r), idsc).

□

Corollary 41

    p =_Prog hs_u (u_hs p)

for p : Prog_uc X s.

To view Prog_HS as a functor in our category we must say what Prog_HS does
on the equivalence relations = on X. Therefore we define

    p =_ProgHS q :⟺ (hs_u p) =_Prog (hs_u q).

hs_u, u_hs are extensional with respect to these relations and we have

    hs_u (u_hs p) =_Prog p,    u_hs (hs_u q) =_ProgHS q,

i.e. Prog_uc X s and Prog_HS X s are isomorphic in our category. We have

    UIP S, UIP C ⟺ UIP S ∧ ∀s : S. UIP (C s).

Therefore we get

Theorem 42 If UIP S ∧ ∀s : S. UIP (C s) then u_hs ∘ elim : CT → Prog_HS CT is
a final coalgebra for Prog_HS.

10 Related and future work

As we have seen, working in intensional type theory becomes quite complicated.
The dependency on proof objects for simple equations results in an
intricate argumentation. We also needed the principle UIP for the sets S, C for
our proof to go through. So, what did we gain by the result above? First of
all, as already mentioned, the result can be seen as a justification for the rules
of Hancock/Setzer if we replace definitional equality by bisimulation and have
UIP for the sets S, C. We are convinced that replacing definitional identity by
bisimulation is not a serious restriction as long as we are mainly interested in
the behaviour of programs. Results such as those in Michelbrink/Setzer [33]
that the monad rules hold should be provable with the altered rules. There is
also an advantage if we want to prove facts about the behaviour of concrete
interactive programs: we proved that the functor Prog_HS has a final coalgebra
whereas the rules of Hancock/Setzer give us a weakly final coalgebra only
(uniqueness is missing). This should outweigh that concrete interactive
programs are given by extensional functions X → Prog X whereas in the approach
of Hancock/Setzer any such function is sufficient. Sets S, C with UIP S, UIP C
may as well be sufficient for practical work. However, from a theoretical point
of view this restriction is unsatisfactory. It would be nice to improve the above
result by getting rid of these conditions. However, the type theory enriched by
the rules for a weakly final coalgebra as described in e.g. [33] results in far
more elegant proofs. Note also that more types become definitionally equal by
these rules, whereas two types which depend on bisimilar programs do not
have to be equal. Secondly, a deeper analysis of the proof above and a
comparison with proofs in other frameworks may shed some light on why working
in intensional type theory is so hard. The same final coalgebra construction is
already carried out in ZFC [33] and Gambino/Hyland [13] proved an initial
algebra theorem in extensional type theory. The problem of representing final
coalgebras in type theory was addressed by Lindström [26] for the special case
of Aczel's non-wellfounded sets. Lindström used an inverse-limit construction
that requires extensional type theory. What can be said already is that the
lack of a good concept for subsets as in set theory complicates work. Note
that the subset theory discussed in Nordström et al. [34] may be of less or no
help as long as we work in an intensional setting [38,37]. We think that Luo's
coercive subtyping [27] may at least be a way to get crisper formulations.
There is an increasing interest in approaches to reason in dependent type
theory about imperative programming, interaction, non-termination and general
recursion. We would like to mention recent work of Michael Abbott, Thorsten
Altenkirch, Neil Ghani and Conor McBride on containers [1,4,2,3]. The extension
of a container (the result of applying the container construction functor
to a container) is a special variant of our functor Prog_HS. More precisely, a
container with parameters is a state dependent interface with trivial n where
the command sets do not depend on the state. A main difference to our work is
that Abbott et al. work in an extensional type theory (the identity type is given
by equalisers). In fact they require their ambient category to be locally cartesian
closed, with disjoint coproducts, W- and M-sets. Geuvers [12] investigated
formalisations of inductive and coinductive types in different lambda calculi,
mainly extensions of the polymorphic lambda calculus. He showed that by
adding a categorical notion of (primitive) recursion, recursion can be defined
by corecursion and vice versa using polymorphism. Thierry Coquand proposed
in [7] to add a guarded proof induction principle to type theory to reason about
infinite objects. He gives a syntactical criterion to ensure that every term has
a head normal form. E. Gimenez [14] formalised an extension of the Calculus
of Constructions with inductive and coinductive types using similar ideas. In
Venanzio Capretta's Ph.D. thesis [5] coinductive types are added to Martin-Löf
type theory with bisimulation as equality. Jean-Christophe Filliâtre [10]
interpreted Hoare triples for a programming language with both imperative
and functional features in the Calculus of Inductive Constructions and proved
a correctness result. There is ongoing work following the line initiated by Peter
Hancock and Anton Setzer [16-19,15,33,23] on reasoning about interfaces
and programs using ideas from category theory and functional programming,
linear logic, game theory, refinement calculus and formal topology. Interfaces
can be seen as objects in different categories and there are many interesting
monads, comonads, adjoint situations and equivalences. In the author's paper
[32] the notion of interfaces is generalised and simplified. With this simplified
notion the relationship of interfaces to games becomes apparent. Stateless
networks like the internet are a natural application area for this simplified notion.
As shown by Hancock/Hyvernat [15], interfaces (interaction structures) seen
as predicate transformers give a connection to formal topology [39]. In fact
every interface gives a natural example for a non-distributive topology. This
gives as well a (until now rather vague) interpretation of safety and liveness
properties of programs [25]. In [23,24] Hyvernat uses interfaces to give a model
of linear logic.